Single Sign-on: Capabilities that would allow a user to enter credentials one time and be able to access all resources in primary and secondary network domains.

Scripting: Batch files and scripts that contain each user's ID, password and logon commands necessary for each platform. Because scripts contain credentials, they must be stored in a protected area and the transmission of the scripts must be dealt with carefully.

Kerberos: Uses symmetric key cryptography and provides end-to-end security.
Main components
- KDC / Key Distribution Center: Holds all users' and services' cryptographic keys. It provides authentication services, as well as key distribution functionality. The KDC provides security services to entities referred to as principals, which can be users, applications or services. A ticket is generated by the KDC and given to a principal when that principal needs to authenticate to another principal. A KDC provides security services for a set of components and principals; in Kerberos this set is called a realm.
- AS / Authentication Service: Is the part of the KDC that authenticates a principal.
- TGS / Ticket Granting Service: Is the part of the KDC that makes the tickets and hands them out to the principals.
Weaknesses
- The KDC is a single point of failure.
- The AS must be able to handle a huge amount of requests.
- Secret keys are temporarily stored on users' workstations.
- Session keys are decrypted and reside on the users' workstations.
- Is vulnerable to password guessing.
- Network traffic is not protected.
- When a user changes his password, it changes the secret key and the KDC needs to be updated.

SESAME: Uses public key cryptography for the distribution of secret keys. Uses a ticket for authorization which is called a Privilege Attribute Certificate. Is vulnerable to password guessing.

Thin Clients: Dumb terminals authenticating to a server.
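As an added illustration of the AS and TGS roles described above (not code from the original notes, and not a real Kerberos implementation): a toy single-realm KDC using only the Python standard library. The principal names (alice, fileserver, krbtgt), the password-derived user key and the toy cipher are constructed for this example.

```python
import hashlib, hmac, json, os, secrets

def user_key(password: str, realm: str = "EXAMPLE.REALM") -> bytes:
    # The user's long-term secret key is derived from the password (why password guessing is a listed weakness).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Toy authenticated encryption (keystream XOR + HMAC tag) standing in for Kerberos' symmetric ciphers.
    nonce, pt = os.urandom(16), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("rejected: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """One realm's KDC: holds every principal's long-term key; AS and TGS are its two roles."""
    def __init__(self, keys: dict):
        self.keys = keys  # principal name -> long-term key (users, services, and the TGS itself as "krbtgt")
    def authenticate(self, user: str):
        # AS role: issue a session key sealed for the user and a TGT sealed for the TGS.
        sk = secrets.token_hex(32)
        return seal(self.keys[user], {"sk": sk}), seal(self.keys["krbtgt"], {"user": user, "sk": sk})
    def grant(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS role: verify the TGT and the authenticator, then issue a ticket sealed for the service.
        t = unseal(self.keys["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        ssk = secrets.token_hex(32)
        return seal(bytes.fromhex(t["sk"]), {"ssk": ssk}), seal(self.keys[service], {"user": t["user"], "ssk": ssk})

def access_service(kdc: KDC, user: str, password: str, service: str, service_key: bytes) -> str:
    # Client: one logon, then a service ticket. Session keys sit on the workstation (another listed weakness).
    reply, tgt = kdc.authenticate(user)
    sk = bytes.fromhex(unseal(user_key(password), reply)["sk"])  # a wrong password fails here
    reply2, ticket = kdc.grant(tgt, seal(sk, {"user": user}), service)
    ssk = bytes.fromhex(unseal(sk, reply2)["ssk"])
    # Service: decrypts the ticket with its own long-term key and never sees the user's password.
    t = unseal(service_key, ticket)
    if bytes.fromhex(t["ssk"]) != ssk:
        raise ValueError("session key mismatch")
    return t["user"]
```

Note that the AS reply is sealed under a key derived from the password, so a captured reply lets the password be checked offline; modern Kerberos adds pre-authentication for exactly this reason.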
Access Control Models: A framework that dictates how subjects access objects.

DAC / Discretionary Access Control: Enables the owner of the resource to specify which subjects can access specific resources. Access is restricted based on the authorization granted to the users. The most common implementation of DAC is through ACLs.

MAC / Mandatory Access Control: Users are given a security clearance and data is classified. The classification is stored in the security labels of the resources. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject and the classification of the object. The model is used in environments where information classification and confidentiality are of utmost importance.